FortiClient
keithli_FTNT
Staff
Article Id 229212
Description

This article describes how FortiClient Endpoint Protection helps detect and block the Prestige ransomware attempt described below, and how it automatically restores any files that may have been encrypted before the detection.

A ransomware campaign has been detected targeting organizations in Ukraine and Poland using a previously unidentified ransomware payload that labels itself 'Prestige Ransomware' in the ransom note it drops after encrypting files.

Microsoft Threat Intelligence Center (MSTIC) detected this ransomware campaign on October 11 and identified several notable features that differentiate it from other ransomware campaigns:

- The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks.

- The Prestige ransomware had not been observed by Microsoft prior to this deployment.

- The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).

Scope

Configurations involve two products:

  • FortiClient EMS 7.0
  • FortiClient 7.0

Solution

The following describes the FortiClient EMS configuration related to real-time malware and ransomware detection.

To be protected, FortiClient endpoints must have AV and Ransomware detection features enabled.

When the FortiClient endpoint is managed by FortiClient EMS, it must be registered and have its endpoint profile synchronized with the FortiClient EMS server.

To configure malware protection and ransomware detection on FortiClient EMS:

1) Go to Endpoint Profiles -> Malware Protection and create a new profile, or edit an existing profile.

2) Under AntiVirus Protection, enable Real-Time Protection.

3) Under Anti-Ransomware Protection, enable Protection.

4) Under Protected Folders, select Add file folder paths and add the folders to be protected.

5) Under Action, it is recommended to set the action to 'Terminate ransomware behavior'.

6) Enable the 'File Backup' option.

7) Save the profile.

Endpoint Profile example with the above configuration:

EMS-MalwareProfiles7.0.png

Enable 'Alert Email' for ransomware detections so that administrators are notified by email in the event of a detection:

EMS-EndpointAlerts7.0.png

To view the results of the detection on the FortiClient endpoint:

When ransomware is detected and blocked, a notification is displayed on the endpoint:

FCT-EndpointNotification.png

The FortiClient console shows a summary of the ransomware event:

FCT-AntiRansomware.png

Ransomware detection and block event details on the FortiClient console:

FCT-quarantineDetails.png

Files affected by the ransomware are rolled back and restored:

FCT-RestoredFiles.png

Ransomware event information on EMS:

EMS-RansomewareEvents7.0.png

FortiClient raw log for the ransomware detection:

11/1/2022 8:44:46 PM   warning                antiransomware               date=2022-11-01 time=20:44:45 logver=1 id=98000 type=securityevent subtype=antiransomware eventtype=status level=warning uid=FBED7F00DC964AC58FEDC3029DB900B3 devid=FCT8003010775759 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.3 devicemac=02-00-45-99-04-45 site=default fctver=7.0.7.0345 fgtserial=N/A emsserial=FCTEMS3582433691 usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=Admin msg="AntiRansomware has found a suspicious process" file=C:\Users\Admin\Documents\1473344961.exe action=kill default_used=1 checksum=5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57

FortiClient raw log for the ransomware file restore (sample):

11/1/2022 8:44:45 PM   warning                antiransomware               (repeated 1 times in last 0 sec) date=2022-11-01 time=20:44:45 logver=1 id=98001 type=securityevent subtype=antiransomware eventtype=status level=warning uid=FBED7F00DC964AC58FEDC3029DB900B3 devid=FCT8003010775759 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.3 devicemac=02-00-45-99-04-45 site=default fctver=7.0.7.0345 fgtserial=N/A emsserial=FCTEMS3582433691 usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=Admin msg="AntiRansomware has recovered a file" file="C:\\a\\ballons - Copy (2).jpg"
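The two raw log lines above are key=value records that can be collected from the endpoint or forwarded from EMS and parsed for triage. The following is an added example, not code from the article or from Fortinet: a small Python parser that splits such lines into fields (quoted values may contain spaces and Windows paths), keeps only the antiransomware security events, and separates the "suspicious process killed" events (which carry the executable path and checksum an analyst should follow up on) from the "file recovered" events. The sample input is the two log lines from this page; the event ids 98000 and 98001 are taken from those lines only and are not assumed to be a documented id list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the two FortiClient antiransomware log lines shown on this page,
# copied as logged (raw strings keep the Windows path backslashes unchanged).
SAMPLE_LOGS = [
    r'11/1/2022 8:44:46 PM   warning   antiransomware   date=2022-11-01 time=20:44:45 logver=1 id=98000 type=securityevent subtype=antiransomware eventtype=status level=warning uid=FBED7F00DC964AC58FEDC3029DB900B3 devid=FCT8003010775759 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.3 devicemac=02-00-45-99-04-45 site=default fctver=7.0.7.0345 fgtserial=N/A emsserial=FCTEMS3582433691 usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=Admin msg="AntiRansomware has found a suspicious process" file=C:\Users\Admin\Documents\1473344961.exe action=kill default_used=1 checksum=5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57',
    r'11/1/2022 8:44:45 PM   warning   antiransomware   (repeated 1 times in last 0 sec) date=2022-11-01 time=20:44:45 logver=1 id=98001 type=securityevent subtype=antiransomware eventtype=status level=warning uid=FBED7F00DC964AC58FEDC3029DB900B3 devid=FCT8003010775759 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.3 devicemac=02-00-45-99-04-45 site=default fctver=7.0.7.0345 fgtserial=N/A emsserial=FCTEMS3582433691 usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=Admin msg="AntiRansomware has recovered a file" file="C:\\a\\ballons - Copy (2).jpg"',
]

# One key=value field: the value is either a double-quoted string (which may
# contain spaces and backslash escapes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Parse the key=value fields of one FortiClient log line into a dict.

    The human-readable prefix (timestamp, level, category, "repeated" note)
    contains no '=' and is skipped. Surrounding quotes are stripped from quoted
    values; any backslash escaping inside them is left exactly as logged.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


@dataclass
class RansomwareEvent:
    hostname: str
    event_id: str
    message: str
    file: str
    action: Optional[str]
    checksum: Optional[str]


def extract_events(lines: List[str]) -> List[RansomwareEvent]:
    """Keep only type=securityevent subtype=antiransomware lines."""
    events = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") != "securityevent" or f.get("subtype") != "antiransomware":
            continue
        events.append(RansomwareEvent(
            hostname=f.get("hostname", ""),
            event_id=f.get("id", ""),
            message=f.get("msg", ""),
            file=f.get("file", ""),
            action=f.get("action"),
            checksum=f.get("checksum"),
        ))
    return events


def terminated_processes(events: List[RansomwareEvent]) -> List[Tuple[str, str, str]]:
    """(hostname, executable path, checksum) for every process FortiClient killed.

    These are the events to triage: the checksum can be compared against the
    EMS quarantine details and any internal blocklist.
    """
    return [(e.hostname, e.file, e.checksum or "")
            for e in events if e.action == "kill"]


def recovered_files(events: List[RansomwareEvent]) -> List[str]:
    """Paths of files FortiClient restored from its backup after a detection."""
    return [e.file for e in events
            if e.message == "AntiRansomware has recovered a file"]


if __name__ == "__main__":
    evs = extract_events(SAMPLE_LOGS)
    for host, path, checksum in terminated_processes(evs):
        print(f"[triage]  {host}: killed {path} checksum={checksum}")
    for path in recovered_files(evs):
        print(f"[restore] {path}")
```

The parser deliberately does not unescape the doubled backslashes inside quoted paths, because the article does not document the escaping rule; matching on the file name suffix, as the triage output does, works either way.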

Alert email message:

AlertEmail.png